Evan Schuman's StorefrontBacktalk

Put another way, it’s the more genteel procedures of corporate IT versus the more physical issues of store-level Loss Prevention. A shoplifting incident, even a violent one, is typically handled at the local level, whereas a data breach (even a small one) almost always is handled by corporate IT. The most innocuous explanation for this incident is that the assistant store manager didn’t recall that there was a backup disk in the safe (loaded guns aimed at an employee’s head tends to unnerve people) and discovered it hours or maybe days later. By that point, the entire investigation had been turned over to corporate so he might have assumed that corporate would update police. And given that corporate IT never had contact with local police, that might not have occurred to any of those team members either.

The most sinister explanation is that losing a disk of unencrypted highly-sensitive customer data—governed by federal rules—was highly embarrassing and no one wanted to mention it to police, even though there was an armed gunman loose and that piece of information might have made a difference.

Sears opted to not shed any light on how this happened. “As this is an open investigation, we have no further comment,” said Shannelle Armstrong-Fowler, director of public relations for Sears Holdings, which owns both Sears and Kmart. Note: That particular reason to not comment doesn’t quite fit this case. That’s what you’re supposed to say when the police ask you to keep crime scene details private, so that the actual crook doesn’t know everything that the police know. In this case, the issue in question—the disclosure of the backup disk being stolen—has already been announced by Sears and the details of the information withheld has been discussed openly by the police. But it still sounds good, as though Kmart’s being a good corporate citizen and not wanting to interfere with a police investigation—let perhaps withholding key details about what happened.

The reality of this situation, from a retail structure perspective, is that police need to know all details and they can’t have retailers deciding which details may or may not be crucial to an armed robbery investigation. That means that policies must be in place to immediately share data with all relevant parties, at both the local and corporate level. If an armed robber is not caught because of a Sears internal communication flow breakdown, that is a stunningly serious implication.

There is precedence for this, but generally only when the coordination is from local LP personnel with corporate LP personnel and management. But data-sharing and law enforcement coordination between IT and LP is rare. They work with each other (helping to review POS records or E-Commerce logs to help identify a shoplifter) but they rarely work with the same people. Secret Service? IT (unless it’s a counterfeit money issue). Local police? LP. FBI? Split. The cyberthief FBI folk are almost solely working with IT while major crimes involving the stores (kidnap, mass shooting) are the FBI people that work almost solely with LP.

All indications thus far are that this particular Arkansas gunman just wanted money and the disk was most likely discarded. But now that Sears has told the world that it’s stores keep thousands of that day’s most sensitive transactions in a store safe—and that they are fully unencrypted and not even password-protected—it’s quite possible that identify thieves and other cybercrooks may try breaking in, either by stealth or possibly even using the violent methods described here.

If that does happen, new levels of coordination are going to be needed. The next such information being withheld might push police to file those obstruction charges, especially because lack of corporate data-sharing is an answer that grow old really quickly. And in the meantime, Sears, can you please encrypt backups of ultra-sensitive data? If you won’t do it for traditional data security reasons, maybe you can do it to avoid tempting armed attackers?